How does this work right now
Drone's cloning documentation suggests that for repositories with submodules one should add a separate submodule fetch step:
There also exists this plugin which can be used to similar effect by: --recursive flag enabled.
What I would like to happen
In the clone configuration, allow recursive: true which should work like https://plugins.drone.io/plugins/git, initializing submodules.
Ok but why
DRONE_NETRC_CLONE_ONLY: this flag (which is recommended) limits drone's git access to the clone step, making submodule cloning not possible in private/auth-required git scenarios for submodule initialization.
Extra information
I found some old documentation that implies this behavior used to exist.
I also believe drone uses that git plugin already to perform the initial cloning, so hopefully this is not a bear to implement.
See:
Note that Drone uses the git plugin by default for all repositories, without any configuration required.
I see this comment from 2019 but I do not know if this being impossible with the recommended security configuration was considered in the decision to remove this. I believe this can be mitigated by updating the docs to specify the extra submodules step first and only mentioning recursive: true as a backup for specifically this scenario, only supporting https.
What I will do if this is denied to work around
hope for an idea in the harness slack?
I think with my company's current security concerns working around this would be... rough. I'd probably need to inject an ssh-key via secrets, use sed to alter the .gitmodules configuration to use a git+ instead of https, and pray the team does not fire me for jank.
Very rude tag
@bradrydzewski Sorry for the tag bradrydzewski, but given you seem to be very directly involved with:
the decision to unsupport this.
the old documentation that supported this.
I wanted to make sure you got right-of-first refusal here.
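
An alternative to the sed edit of .gitmodules mentioned in the workaround above, as an added example that is not part of the original issue or of Drone's code: git's own url.<base>.insteadOf rewrite maps the HTTPS submodule URLs to SSH without touching tracked files, and the key is used only against a pinned host key. The host git.example.internal, the secret-backed variables SSH_KEY and SSH_KNOWN_HOSTS, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: not code from Drone or from the issue author.
# Assumptions (all hypothetical names): the git host is git.example.internal,
# and the step receives SSH_KEY (a read-only deploy key) and SSH_KNOWN_HOSTS
# (the host's pinned public key line) from pipeline secrets.

# Rewrite https://<host>/ to git@<host>: through git config, so the tracked
# .gitmodules file is left untouched. --global is used so the rewrite also
# applies inside the submodule clones git spawns; in an ephemeral CI
# container that file disappears with the step.
use_ssh_for_host() {
    git config --global "url.git@$1:.insteadOf" "https://$1/"
}

# Print the URL git will actually contact for a URL found in .gitmodules.
effective_url() {
    git ls-remote --get-url "$1"
}

# Write key and known_hosts readable by the current user only, then make git
# use exactly that key and refuse hosts that are not pinned.
prepare_ssh() {
    dir="$1"
    (
        umask 077
        mkdir -p "$dir"
        printf '%s\n' "$SSH_KEY" > "$dir/id_deploy"
        printf '%s\n' "$SSH_KNOWN_HOSTS" > "$dir/known_hosts"
    ) || return 1
    GIT_SSH_COMMAND="ssh -i $dir/id_deploy -o IdentitiesOnly=yes \
-o UserKnownHostsFile=$dir/known_hosts -o StrictHostKeyChecking=yes"
    export GIT_SSH_COMMAND
}

# In the submodule step the calls would be:
#   prepare_ssh "$HOME/.ssh-ci"
#   use_ssh_for_host git.example.internal
#   git submodule update --init --recursive
```

Running effective_url on each URL in .gitmodules before the update shows which submodules will go over SSH and which are still fetched over HTTPS without credentials.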